Lyceum Intelligence, In Focus report

CVE-2025-29927 -- CVSS 9.1 Vulnerability Briefing

CVE-2025-29927 | CVSS 9.1 (Critical) | Exploit: PoC available

What Is It

CVE-2025-29927 is an authorization bypass vulnerability in Vercel's Next.js React framework, affecting the middleware layer used to enforce access controls in full-stack web applications.

Technical Detail

The flaw exists in how Next.js processes the internal x-middleware-subrequest HTTP header. An attacker can include this header in an external request to trick the application into treating the request as an internal subrequest, causing middleware-based authorization checks to be skipped entirely. The impact is a complete bypass of any access control logic implemented in Next.js middleware, potentially exposing protected routes, administrative interfaces, or sensitive application functionality to unauthenticated or unauthorized users. The vulnerability affects Next.js versions from 1.11.4 up to, but not including, the patched releases of the 12, 13, 14, and 15 branches.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of this writing, but the simplicity of the attack vector and the availability of PoC code significantly lower the barrier for exploitation. Organizations should treat this as high-priority given the ease with which the bypass can be triggered via a single crafted HTTP header.

Who Is Targeting This

No specific threat actor attribution at this time. Given the widespread deployment of Next.js across commercial and enterprise web applications, opportunistic scanning and exploitation by unattributed actors is a realistic near-term concern.

What To Do

Upgrade Next.js to one of the patched versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3, depending on the branch in use. If immediate patching is not feasible, implement a rule at the network or reverse-proxy layer that strips or blocks any inbound request carrying the x-middleware-subrequest header before it reaches the Next.js application; because HTTP header names are case-insensitive, the rule must match the name regardless of letter case. This header should never originate from external clients and can be safely dropped at the edge. Organizations should audit any application that relies on Next.js middleware as the sole enforcement point for authorization, as this pattern is the specific attack surface exploited by this vulnerability. Detection can be aided by inspecting web server and proxy logs for requests containing the x-middleware-subrequest header that originate from external IP addresses.
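The two defensive measures above (strip the header at the edge, hunt for it in proxy logs) as an added JavaScript example; this is not code from the briefing or from the Next.js project. It assumes a proxy that writes one JSON object per log line with the fields client_ip, method, path and headers, and the log lines below are constructed for the demonstration.

```javascript
// Added example: edge-side stripping and log-based detection of the
// x-middleware-subrequest header. Log format and sample lines are assumed.
const SUSPECT_HEADER = "x-middleware-subrequest";

// Loopback and RFC 1918 ranges count as internal; everything else is external.
function isInternalIp(ip) {
  if (ip === "127.0.0.1" || ip === "::1") return true;
  const m = ip.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// HTTP header names are case-insensitive, so compare on the lowercased name.
function hasSuspectHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === SUSPECT_HEADER);
}

// Edge rule: remove the header from client-supplied headers before forwarding
// to the application (the "strip at the proxy" mitigation).
function stripSuspectHeader(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== SUSPECT_HEADER) out[k] = v;
  }
  return out;
}

// Detection: return every log entry where an external client sent the header.
function findExternalSubrequestHeaders(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (hasSuspectHeader(entry.headers || {}) && !isInternalIp(entry.client_ip)) {
      hits.push({ client_ip: entry.client_ip, method: entry.method, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log: one external hit, one internal subrequest, one clean request.
const SAMPLE_LOG = [
  '{"client_ip":"203.0.113.7","method":"GET","path":"/admin","headers":{"X-Middleware-Subrequest":"middleware","host":"app.example"}}',
  '{"client_ip":"10.0.0.5","method":"GET","path":"/api/health","headers":{"x-middleware-subrequest":"middleware"}}',
  '{"client_ip":"198.51.100.9","method":"POST","path":"/login","headers":{"host":"app.example"}}',
].join("\n");

console.log(findExternalSubrequestHeaders(SAMPLE_LOG)); // only the 203.0.113.7 /admin request
```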
